CVE-2016-0724: Infoleak
First published: Mon Feb 22 2016(Updated: )
The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=3.0.0<3.0.2 | 3.0.2 |
| composer/moodle/moodle | >=2.9.0<2.9.4 | 2.9.4 |
| composer/moodle/moodle | >=2.8.0<2.8.10 | 2.8.10 |
| composer/moodle/moodle | >=2.7.0<2.7.12 | 2.7.12 |
| composer/moodle/moodle | <=2.6.11 | |
| Moodle | <=2.6.11 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.7.6 | |
| Moodle | =2.7.7 | |
| Moodle | =2.7.8 | |
| Moodle | =2.7.9 | |
| Moodle | =2.7.10 | |
| Moodle | =2.7.11 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 | |
| Moodle | =2.8.4 | |
| Moodle | =2.8.5 | |
| Moodle | =2.8.6 | |
| Moodle | =2.8.7 | |
| Moodle | =2.8.8 | |
| Moodle | =2.8.9 | |
| Moodle | =2.9.0 | |
| Moodle | =2.9.1 | |
| Moodle | =2.9.2 | |
| Moodle | =2.9.3 | |
| Moodle | =3.0.0 | |
| Moodle | =3.0.1 | |
| Fedora | =22 | |
| Fedora | =23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176502.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176436.html
- http://www.openwall.com/lists/oss-security/2016/01/18/1
- http://www.securitytracker.com/id/1034694
- https://moodle.org/mod/forum/discuss.php?d=326205
- https://nvd.nist.gov/vuln/detail/CVE-2016-0724
- https://web.archive.org/web/20210622172957/http://www.securitytracker.com/id/1034694
- https://github.com/advisories/GHSA-hjrj-7wcj-7j3c (Advisory)
- https://github.com/moodle/moodle/commit/4323a973d57a41e19e039a850ad71ebcabae73c1
Frequently Asked Questions
What is the vulnerability severity of CVE-2016-0724?
CVE-2016-0724 has a medium severity rating due to its potential to allow unauthorized access to hidden courses.
How do I fix CVE-2016-0724?
To mitigate CVE-2016-0724, update Moodle to a version that includes the relevant security patches, specifically version 2.7.12 or later.
Which Moodle versions are affected by CVE-2016-0724?
CVE-2016-0724 affects Moodle versions up to 2.6.11, as well as various versions in the 2.7, 2.8, 2.9, and 3.0 series before their respective patched releases.
What are the potential impacts of CVE-2016-0724?
Exploitation of CVE-2016-0724 may allow users without the proper permissions to view hidden course content.
Is there a workaround for CVE-2016-0724 if I cannot update Moodle?
If updating is not immediately possible, restrict user access to the affected web services as a temporary mitigation for CVE-2016-0724.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hjrj-7wcj-7j3c
- alias/CVE-2016-0724
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.6.11
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.7.6
- version/moodle/2.7.7
- version/moodle/2.7.8
- version/moodle/2.7.9
- version/moodle/2.7.10
- version/moodle/2.7.11
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3
- version/moodle/2.8.4
- version/moodle/2.8.5
- version/moodle/2.8.6
- version/moodle/2.8.7
- version/moodle/2.8.8
- version/moodle/2.8.9
- version/moodle/2.9.0
- version/moodle/2.9.1
- version/moodle/2.9.2
- version/moodle/2.9.3
- version/moodle/3.0.0
- version/moodle/3.0.1
- vendor/fedoraproject
- canonical/fedora
- version/fedora/22
- version/fedora/23